← All laws

Compliance · CSSF amendment

CSSF 25/883, the amendment aligning 22/806 with DORA.

CSSF Circular 25/883 of 9 April 2025 amends Circular 22/806 to align its requirements with the DORA Regulation (EU 2022/2554), applicable since 17 January 2025. Four structural amendments, immediately applicable, to avoid dual compliance between 22/806 and DORA.

Build my quote → Contact us
Luxgap explorer
Browse the 5 articles of the law, with Luxgap practical guidance
Browse articles →

Who is concerned?

Same addressees as CSSF 22/806: credit institutions and PFS (LSF), payment and electronic money institutions (LSP), investment fund managers (CSSF 18/698), UCITS management companies, central counterparties (CCPs), approved publication arrangements (APAs) and approved reporting mechanisms (ARMs), market operators, central securities depositories (CSDs), administrators of critical benchmarks.

Practically, the scope is now divided into four cases, depending on whether the entity is in the DORA scope and on the type of outsourcing (ICT or non-ICT).

Key obligations

  • Amendment 1: 22/806 introduction reworded to reflect entry into application of DORA.
  • Amendment 2: formal definition of DORA Regulation added to Part I Chapter 1.
  • Amendment 3: scope restructured into 4 cases (DORA entities, non-DORA entities, removed entities, Article 125-1 management companies).
  • Amendment 4: removal of cloud-specific contractual clauses (EEA law and EEA resilience), now covered by DORA.
  • Read together with CSSF Circular 25/882 on requirements for using ICT third-party services for financial entities subject to DORA.

Deadlines

CSSF 25/883 has been in force since 9 April 2025, immediate application. The DORA Regulation it aligns with has applied since 17 January 2025. Concerned entities must immediately identify which case (a, b, c or d) they fall under and adapt their outsourcing mapping accordingly.

Sanctions for non-compliance

25/883 does not create specific sanctions: it amends 22/806 whose sanction regime remains applicable (compliance orders, administrative sanctions, restrictions or suspension of authorisation, pecuniary sanctions, withdrawal of authorisation for serious breaches).

However, for ICT requirements transitioning under DORA (cases a and c), DORA sanctions now apply: up to 1% of average daily worldwide turnover for critical ICT third-party providers, with daily fines for failing to comply with injunctions.

How Luxgap helps

We support CSSF entities with 25/883 diagnosis and 22/806 / DORA articulation:

  • Positioning audit: which case (a/b/c/d) are you in? Which part of your outsourcing setup falls under DORA, under 22/806, or both?
  • Outsourcing policy update and provider register to reflect 25/883 amendments and articulation with DORA.
  • Cloud contractual clauses migration: adapting contracts to the DORA framework (Article 28 and mandatory DORA contractual clauses).
  • CSSF inspection preparation integrating 25/883 + DORA + CSSF 25/882.

Let's diagnose your 25/883 positioning.

Configure a quote for a 22/806 / DORA positioning audit, or for full compliance covering 25/883 and 25/882. Reply within one business day.

Build my quote →